Accepting a set of data in a computer unit

ABSTRACT

A method for transferring at least one data record from an external data source into a processor unit, and a suitably designed processor unit, are described. In this method for transcribing at least one data record from the external data source to a processor unit, the at least one data record is transmitted from the external data source together with additional information to a buffer memory of the processor unit. A check of the admissibility of using the at least one data record is performed on the basis of the additional information. A blocking signal is generated when the check reveals that use of the at least one data record is not allowed; the at least one data record is then deleted from the buffer memory. An enable signal is generated when the use of the at least one data record is allowed. The additional information includes an identifier assigned individually to the processor unit, and the validity check is performed in the processor unit.

FIELD OF THE INVENTION

The present invention relates to a method for transferring at least one data record from an external data source to a processor unit, as well as the processor unit designed accordingly.

BACKGROUND INFORMATION

According to the method described in German Published Patent Application No. 100 43 499, at least one data record, which may be, for example, program code or information stored in a memory of a processor unit for further use and then used in the course of a program, is transmitted to a processor unit such as a control unit of a motor vehicle. The at least one data record is transmitted together with additional information, for example as a cohesive data packet, from the data source to the processor unit. The processor unit loads the transmitted data into a buffer memory belonging to it. The processor unit then establishes contact with an external checking unit, in particular by remote data transmission, identifies itself to the external checking unit and transmits to the latter at least a portion of the additional information. On the basis of the transmitted portion of the additional information and the identity of the processor unit, the external checking unit verifies whether or not the use of the at least one data record in the processor unit is allowed. Depending on the result of this check, the processor unit receives either an enable signal or a blocking signal. When the blocking signal is transmitted, the at least one data record is deleted from the buffer memory. Otherwise the transmitted data record is used in the processor unit.

It is desirable for the data records stored in processor units such as the control units in motor vehicles to be modifiable externally. This may be done, for example, to update such control units without having to replace the control unit. Data records may be transmitted to the control unit via remote data transmission or via a suitable interface connected to the processor unit, such as a diagnostic interface of a motor vehicle. The data records are provided on a data source, which may be a data memory or a data processing device.

It is first important to ensure that only authorized data records are transmitted to and used by the processor unit. Any unallowed change in the data records, or input of data records that have not been enabled, should be prevented, because using non-enabled data records may cause problems in the operation of the processor unit or of other processor units connected to it. Furthermore, the upload procedure should be as simple as possible.

SUMMARY OF THE INVENTION

In the method according to the present invention for transcribing at least one data record from an external data source to a processor unit having the features of claim 1, the at least one data record is transferred together with additional information from the external data source to a buffer memory of the processor unit. The admissibility of using the at least one data record is checked on the basis of the additional information. A blocking signal is generated if the check reveals that use of the at least one data record is not allowed. The at least one data record is then deleted from the buffer memory. An enable signal is generated when the use of the at least one data record is allowed. According to the present invention, the additional information includes an identifier assigned individually to the processor unit, the validity check being performed in the processor unit.

Additional information containing an identifier is thus attached to the data record. A check is performed in the processor unit to determine whether the identifier is valid, i.e., whether it conforms to certain check criteria. If this is the case, the enable signal is generated; otherwise the blocking signal is generated. The identifier is assigned individually to the processor unit, so an identifier valid for a given processor unit will be invalid for all other processor units, including those of the same design series. Data records may thus be transcribed individually for each processor unit, and data records cannot be copied from one processor unit to another processor unit of the same design. The identifier is preferably a data word generated by a code word generator, which may in particular be a random generator. The data word generated by the code word generator may be, for example, a sequence of characters or numbers such as a hexadecimal numerical sequence.

This procedure has the advantage that the validity check is performed in the processor unit itself and no manipulable data communication with other external devices is necessary for the check. Furthermore, a check may be performed continuously or periodically with the identifier in the processor unit to determine whether or not the version currently in use is valid. At the time the at least one data record is transcribed together with the additional information to the processor unit, no other communication devices need be involved. Even when remote data transmission from the vehicle is impossible, e.g., temporarily, an update may be performed and the at least one data record may be transferred, provided it is valid.

According to an advantageous embodiment of the present invention, a signature is part of the additional information; the signature may also include the identifier, in order to prevent the at least one valid data record, which is to be transferred together with the additional information, from being replaced by another data record, in particular one that is not valid. The check of the integrity and acceptability of the signature is then in particular also part of the check of the validity of the transmitted data.

According to a preferred embodiment of the present invention, an identifier is valid only once for checking the at least one transmitted data record stored in the buffer memory. This prevents an identifier intercepted during a transfer from being reused to transcribe other unauthorized data records.

According to another embodiment of the present invention, when the enable signal is generated, the at least one data record is transmitted from the buffer memory into a functional memory from which it can be read out for processing purposes. This measure advantageously ensures that the data record is transmitted to the functional memory only at a point in time when its validity has already been checked with a positive outcome. Thus, until another data record is transcribed and recognized as valid, the last version of the data record recognized as valid is always stored in the functional memory and read for use there. The data record stored in the functional memory is not affected by attempts to download invalid data records. This always ensures the availability of the processor unit. In addition, it is also possible for the identifier to be stored in the functional memory together with the at least one data record and for that identifier to be checked for validity whenever a data record is called up from the functional memory. This is possible even when the identifier is suitable only for a single check of a transcribed data record, because the data record is now stored in the functional memory and no longer in the buffer memory, and a new identifier is necessary only for checking data stored in the buffer memory. This makes it possible to prevent manipulation of the data record stored in the functional memory, e.g., by exchanging the memory module containing the functional memory. This check may also be performed only at periodic intervals, e.g., after starting the vehicle or after a predetermined number of calls.

In another advantageous embodiment of a method according to the present invention, a list of code words is stored in a code word memory in the processor unit. The identifier transmitted together with the at least one data record is compared with a code word. The data record is found to be admissible if the identifier of the additional information transmitted with the at least one data record matches the code word and/or if the combination of the identifier and the code word conforms to a criterion to be checked. For example, the identifier and the code word may be two key parts of a code, the combination of code word and identifier together permitting encryption and/or decryption of a coded data sequence, so that it is possible to check whether the code word and the identifier fit together. In a more extensive embodiment, a counter is provided in the processor unit and its counter content is stored. The counter content points to a code word in the code word memory. The counter is incremented before each check of an identifier of the at least one data record stored in the buffer memory, so that a code word may be used only once for checking newly downloaded data records.

It is important that the list of code words cannot be read out or overwritten. For this purpose, no protocol instructions which would allow reading from or writing to the memory area holding the code words via an external interface are permitted in the processor unit. Additionally or alternatively, the processor unit may be protected from access via hardware pins by embedding. The counter content must be permanently stored and must be preserved even without a power supply; it may be stored in an EEPROM in particular. According to a preferred embodiment, the list of code words should take up the smallest possible memory volume in the processor unit; on the other hand, the length of the code word should be selected so that it is impossible to discover it by guessing or trial and error. A code word length of 32 bits, for example, i.e., four bytes or two hexadecimal numbers, would be one possible compromise between security and memory volume. The memory required for a code word list of 256 code words would then be one kbyte. Since a memory volume in the range of one Mbyte or more is also available in control units in motor vehicles, a memory volume of one kbyte is relatively small. In an advantageous embodiment, the number of code words in the list should also be selected to be as small as possible, but adapted to the expected demand for transcription of data records to the processor unit during its lifetime. Although a cyclic run through the list of code words would also be possible, the code words could then be discovered by a third party due to their repeated use, which results in a certain laxity in terms of security.

As protection against discovery of the identifier required for transcription, it is possible to require a new identifier for each attempted transcription of at least one data record. On the other hand, it should be noted that data transmissions may be subject to interference, and therefore multiple transmission attempts may be required under some circumstances until the at least one data record and the additional information have been transmitted to the buffer memory. To avoid having to insert a new identifier into the additional information for each transmission attempt, and thereby using up a large number of code words, it is possible to provide that the check of the identifier does not take place until the completeness and accuracy of the transmission of the data to the buffer memory have been ascertained. To do so, in particular the data stored in the buffer memory, or a signature derived from it, may be compared with the data of the data source. Confirmation by the operator may also be requested, in which case the operator must acknowledge the transmission as being in order before the check of the identifier is performed. Since a different code word is used, and thus also spent, with each check of the identifier in the processor unit, discovery of the required identifier by systematic trial and error is impossible.

Additionally or alternatively, it is also possible that after a defined number of false attempts, an equal number of successive identifiers must also be transmitted as additional information and checked for validity. It is also conceivable to provide a delay element which increases the time required for an individual attempt, so that not all possibilities can be tried within a foreseeable period of time.

According to a preferred embodiment of a method according to the present invention, the processor unit is identifiable based on an identification sequence. The identification sequence is preferably also part of the additional information and may be used in checking the validity of the at least one data record. By linking the identification sequence to the additional information, it is possible to check whether the at least one data record is in fact intended for input into this processor unit. The identification sequence is in particular a character sequence which may be read in the processor unit but cannot be overwritten; it is assigned individually to the processor unit and is issued only once, and thus differentiates the processor unit from all other processor units of the same design.

According to an advantageous embodiment, to perform the method according to the present invention, valid identifiers, preferably in the form of a list, are stored in an identifier server and assigned to the corresponding processor unit, e.g., via the identification sequence, for at least one control unit, but preferably for a plurality of control units. The counter content of the counter of the processor unit is preferably stored there together with the identifiers, so that the identifier server always knows the next identifier to be used, which may be transmitted to an authorized party on request, for example. The authorized party may request the required identifier from the identifier server and then establish the link between the identifier, the other additional information and the at least one data record. It is also possible for the authorized party to transmit the data it requires to the identifier server, and for the at least one data record and the additional information to be processed in the identifier server, in particular using additional security measures such as encryption and the addition of signatures. A total data record to be transmitted to the buffer memory is generated and then either transmitted to the authorized party for input into the processor unit or transmitted directly to the processor unit. In the latter option, a check may be performed in the identifier server to determine whether input of the at least one data record into the processor unit is allowed before the identifier is appended to the additional information.

If the identifier is transmitted to the data source, it is only possible to check whether the data source is authorized to generate and/or transcribe allowed data records. Because of the query at the identifier server required to obtain the identifier, a history of accesses can be documented in the identifier server, and the accesses can then be traced back. Therefore, e.g., in cases of misuse of identifiers that have been issued, the source of the misuse can be ascertained.
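To make the server side of this embodiment concrete, here is an added example (not the patent's code; the class and method names, the HMAC-SHA256 signature keyed on the identifier, the constructed identification sequence `ECU-000123` and the requester names are assumptions of this example). It models an identifier server that keeps a one-time identifier list and a counter per identification sequence, refuses unauthorized requesters, synchronizes with a counter content reported by the unit, writes every request to a protocol file so issued identifiers can be traced back, and assembles the total data record with a signature binding the data record to the identifier and the unit.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example of an identifier server (hypothetical design, not the patent's code).
# One record per processor unit, keyed by its identification sequence; the record
# holds the one-time identifier list and a counter pointing to the last one issued.


@dataclass
class IdentifierRecord:
    identifiers: list          # one-time identifiers, generated once at provisioning
    counter: int = 0           # 1-based index of the last identifier issued (0 = none yet)


@dataclass
class IdentifierServer:
    authorized: set = field(default_factory=set)   # parties allowed to request identifiers
    records: dict = field(default_factory=dict)    # identification sequence -> IdentifierRecord
    protocol: list = field(default_factory=list)   # protocol data file: (time, id_seq, requester, result)

    def provision(self, id_seq, count=4):
        """Generate `count` random 32-bit code words for a new unit. The same list is
        burned into the unit's read-only code word memory; the server keeps this copy."""
        words = [secrets.token_hex(4) for _ in range(count)]   # 8 hex digits = 32 bits
        self.records[id_seq] = IdentifierRecord(words)
        return list(words)

    def issue(self, id_seq, requester, unit_counter=None, when="t0"):
        """Steps 203/204: return the next unused identifier for the unit, or refuse.
        Every request, refused or not, is written to the protocol file so that an
        issued identifier can later be traced back to its requester."""
        if requester not in self.authorized:
            self.protocol.append((when, id_seq, requester, "REFUSED"))
            raise PermissionError("requester not authorized for identifiers")
        rec = self.records[id_seq]
        if unit_counter is not None:
            # Synchronize: if the unit has already consumed more code words (e.g. on
            # failed attempts), skip ahead so the next identifier issued is still fresh.
            rec.counter = max(rec.counter, unit_counter)
        if rec.counter >= len(rec.identifiers):
            self.protocol.append((when, id_seq, requester, "EXHAUSTED"))
            raise RuntimeError("identifier list exhausted")
        rec.counter += 1
        identifier = rec.identifiers[rec.counter - 1]   # counter content 1 -> first element
        self.protocol.append((when, id_seq, requester, rec.counter))
        return identifier


def sign(data_record: bytes, id_seq: str, identifier: str) -> str:
    """Signature over the data record and identification sequence, keyed on the
    identifier (assumed construction), so the record cannot be swapped for another."""
    return hmac.new(identifier.encode(), data_record + id_seq.encode(), hashlib.sha256).hexdigest()


def build_total_record(data_record: bytes, id_seq: str, identifier: str) -> dict:
    """Step 205: data record plus additional information (identifier, identification
    sequence, signature), ready for transfer into the unit's buffer memory."""
    return {
        "data": data_record,
        "id_seq": id_seq,
        "identifier": identifier,
        "signature": sign(data_record, id_seq, identifier),
    }


def demo():
    """Constructed walk-through: provision one unit, issue an identifier to an
    authorized workshop and assemble the total data record."""
    server = IdentifierServer(authorized={"workshop-A"})
    words = server.provision("ECU-000123")        # constructed identification sequence
    identifier = server.issue("ECU-000123", "workshop-A")
    packet = build_total_record(b"engine map v2", "ECU-000123", identifier)
    return server, words, identifier, packet
```

Because `provision` returns the list that is also burned into the unit, the server's counter and the unit's counter index the same one-time words; the `unit_counter` argument is what lets a workshop hand the server the unit's current counter content for synchronization, as step 203 describes.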

A processor unit according to the present invention has a buffer memory and an overwritable functional memory, both of which are used for storing at least one data record. The functional memory is accessed during the operation of the processor unit. At least one data record together with additional information is transferable to the buffer memory via an interface. The processor unit contains a check unit for checking the validity of the at least one data record on the basis of an identifier contained in the additional information according to one of the preceding methods. According to a preferred embodiment of the present invention, the processor unit has a read-only code word memory in which code words are stored. A counter having an incrementable counter content is assigned to the code word memory. The counter preferably points to a code word in a list of code words of the code word memory, in particular of code words that may be used only once. The processor unit is in particular individualized via an identification sequence. A processor unit according to the present invention is preferably a control unit for a motor vehicle.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows schematically a block diagram of the identifier server, the data source and the processor unit.

FIG. 2 shows a flow chart of a method according to the present invention.

DETAILED DESCRIPTION

FIG. 1 shows schematically the functional elements that cooperate in implementing a method according to the present invention. At least one data record 12 is to be transmitted from data source 10 to processor unit 20. Data source 10 is, for example, a data processing device which is prepared in a factory or service shop, while processor unit 20 may be a control unit in a motor vehicle. In addition, an identifier server 18, which is also required, is provided and managed centrally by the automobile manufacturer and thus ensures good and reliable access control to the code words.

Processor unit 20 has an interface 21 for transcribing data. Buffer memory 22 is used for storing the data incoming at interface 21. The validity of the data stored there is checked in checking unit 23, which accesses an element of the list of code words 25 a, 25 b, 25 c, 25 d of code word memory 25 via counter 24. If the data is recognized as valid, it may be transferred in a controlled manner via the checking unit from buffer memory 22 into functional memory 26. A central computer 27 of the processor unit, a CPU, accesses functional memory 26 to process tasks. Programs that are capable of running on CPU 27 may be stored in functional memory 26 with suitable encryption, along with information that is necessary during the execution of a program, such as parameter values, engine characteristic maps and the like. Programs as well as information used in running programs may therefore be input to processor unit 20 by a method according to the present invention. The processor unit is identifiably individualized by identification sequence 14, which is readably stored.

Data source 10 holds a total data record 11 which is to be transcribed to processor unit 20. Data source 10 may be a data processing unit, a shop instrument or a data medium, in particular a read-only data medium. Total data record 11 is divided into at least one data record 12, which is to be introduced into functional memory 26 and contains the program code and/or the information required during the running of a program, plus additional information 13. The additional information includes at least one identifier 15 b, but may also contain other information such as identification sequence 14.

In identifier server 18, one identifier data record 19 is stored for each of a plurality of processor units 20. Identifier data record 19 is identifiable via identification sequence 14 and is assignable to the processor unit 20 having the same identification sequence 14. An identifier data record 19 contains a counter 24 whose counter content is incremented each time an element is called up from the list of identifiers 15 a, 15 b, 15 c, 15 d of identifier memory 10. In addition, there is a protocol data file 16 in which the output of each individual identifier 15 a, 15 b, 15 c, 15 d to a data source 10 is recorded, together with the receiver, the transmission path and the point in time of the transmission, for example. The transmission of information between identifier server 18 and data source 10 may be accomplished by remote data transmission, e.g., wireless, Internet or the like. When processor unit 20 is first equipped, the list of identifiers 15 a, . . . , 15 d of code word memory 15 and the list of identifiers 25 a, . . . , 25 d of code word memory 25 are generated and stored in the corresponding memories 15, 20.

FIG. 2 shows the flow chart of a method for transmitting at least one data record 12 to processor unit 20, as implementable, for example, in a configuration of processor unit 20, data source 10 and identifier server 18 according to FIG. 1. Steps 201 through 205 illustrate the steps performed before the actual transmission of the at least one data record 12, while steps 206 through 212 are the steps performed in the actual data transmission.

According to step 201 of the method, the at least one data record 12 which is to be transmitted to processor unit 20 is made available. According to step 202, processor unit 20 is then identified, e.g., by reading out identification sequence 14 over interface 21. Alternatively, the identification may also be performed manually by reading identification sequence 14, which is readably stored in processor unit 20, and entering it manually or via an optical reader.

According to step 203, identifier server 18 is then queried for the required identifier. The identification sequence previously read is transmitted to the identifier server for this purpose. On the basis of the identification sequence, the identifier data record 19 assigned to the specific processor unit 20 is accessed in the identifier server. The current counter content of counter 24 of the processor unit may also be transmitted here for the purpose of synchronizing the counter contents. A check is performed to determine whether it is permissible to transmit the identifier to the inquiring unit; if this is not the case, access is refused and the method is terminated. A check may also be performed to determine whether the data records 12 intended for transcription have been enabled and are allowed to be transcribed. The transfer thus takes place only to an authorized and identified inquiring unit.

If allowed, according to step 204 of the method, valid identifier 15 b of identifier list 15 is output next. Counter 24 of identifier server 18 is first incremented, but before that it may be matched to a transferred counter content so that the counter content points to the next identifier which has not yet been used. According to the counter content then prevailing (which is 2 in the example shown in FIG. 1), the identifier 15 b of identifier memory 15 assigned to the counter content is read and transmitted to the data source. At the same time, protocol data file 16 is supplemented with the information assigned to the new query of the identifier.

According to step 205, complete data packet 11 is then generated in data source 10. The complete data packet is composed of the at least one data record 12 and the additional information 13 assigned to it; in the exemplary embodiment depicted in FIG. 1, this is made up of identifier 15 b transmitted from identifier server 18 and identification sequence 14; additional information 13 may also contain further data. Thus on conclusion of step 205, a total data record 11 is available and may be transmitted to processor unit 20. The actual transcription of the at least one data record 12 to processor unit 20 may take place at a separate time and place from these preparatory steps. To do so, according to step 206, complete data packet 11 is first transmitted via interface 21 to buffer memory 22. The check of the transmitted data for validity is started by checking unit 23 on termination of the transmission and optionally after confirmation of the successful conclusion of the transmission procedure, which may also be given by an operator, for example.

For this purpose, according to step 207, checking unit 23 first accesses counter 24, whose counter content is incremented with this access. According to step 208, the counter content points to a code word 25 a, 25 b, 25 c, 25 d of code word list 25; in the case shown in FIG. 1, at counter content 2, to code word 25 b, which is then transmitted back to checking unit 23.

According to step 209, a check is performed on the basis of code word 25 b and identifier 15 b to determine whether the at least one data record 12 is valid and may be stored in the processor unit. The check may in particular include a comparison to look for a match between code word 25 b and identifier 15 b. If it is found according to step 210 that the data record is not valid, the blocking signal is generated and the program jumps to step 211. According to step 211, the data stored in buffer memory 22 is then erased and the method is terminated without transferring the at least one data record 12 to functional memory 26. Thus the at least one data record 12 cannot be used in central processor CPU 27 of processor unit 20. The transmission is thus terminated unsuccessfully.

If validity is recognized in step 210, the enable signal is generated and the program jumps to step 212, in which at least the at least one data record is transmitted from buffer memory 22 to functional memory 26. In its operation, central computer 27 of processor unit 20 accesses functional memory 26, taking into account the data stored there, which may include both program code for central processor 27 and information queried in executing a program, e.g., engine characteristic maps and control parameters. During this transmission procedure, data contained in the functional memory and to be replaced may be overwritten. To do so, functional memory 26 may in particular be a flash memory which may be supplied with new data by flashing. The transmission method is then terminated.
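The processor-unit side of the method, covering both the code word list, counter and one-time-use discussion above (including the rule that the identifier is checked only once the transmission has been confirmed complete, and the delay element after false attempts) and steps 206 through 212 of FIG. 2, as an added example that is not the patent's code. The class and method names, the HMAC-SHA256 signature keyed on the identifier, the reference digest used to confirm the transmission, the retry delay policy and the constructed code words and identification sequence are all assumptions of this example; the model also stores the accepted identifier in functional memory so it can be re-checked later without spending a new code word, as described for the functional-memory embodiment.

```python
import hashlib
import hmac


def sign(data_record: bytes, id_seq: str, key: str) -> str:
    """Signature over the data record and identification sequence, keyed on the
    identifier/code word (assumed construction, matching what the data source builds)."""
    return hmac.new(key.encode(), data_record + id_seq.encode(), hashlib.sha256).hexdigest()


def make_packet(data_record: bytes, id_seq: str, identifier: str) -> dict:
    """Total data record as the data source would assemble it (constructed here)."""
    return {"data": data_record, "id_seq": id_seq, "identifier": identifier,
            "signature": sign(data_record, id_seq, identifier)}


def digest(data_record: bytes) -> str:
    """Reference digest the data source supplies so the unit can confirm the
    transmission is complete and accurate before any code word is spent."""
    return hashlib.sha256(data_record).hexdigest()


class ProcessorUnit:
    """Model of the control unit: read-only code word memory, persistent counter,
    buffer memory and functional memory (hypothetical class, not the patent's code)."""

    def __init__(self, id_seq: str, code_words):
        self.id_seq = id_seq                    # identification sequence 14: readable, not writable
        self._code_words = tuple(code_words)    # code word memory 25: not readable from outside
        self.counter = 0                        # counter 24: would be kept in EEPROM
        self.buffer = None                      # buffer memory 22
        self.functional = None                  # functional memory 26: last record that passed
        self.failures = 0                       # consecutive blocked attempts, drives the delay element

    def receive(self, packet: dict):
        """Step 206: the total data record arrives over the interface into the buffer memory."""
        self.buffer = dict(packet)

    def transmission_ok(self, source_digest: str) -> bool:
        """Completeness/accuracy check of the buffered data against the source, done
        before the identifier check so that retransmissions after interference do
        not consume code words."""
        return self.buffer is not None and hmac.compare_digest(
            hashlib.sha256(self.buffer["data"]).hexdigest(), source_digest)

    def check(self, source_digest: str) -> str:
        """Steps 207-212. Returns 'retransmit', 'block' or 'enable'."""
        if not self.transmission_ok(source_digest):
            return "retransmit"                       # no code word spent; transfer may be repeated
        if self.counter >= len(self._code_words):
            self._block()
            return "block"                            # list exhausted: nothing more can be loaded
        self.counter += 1                             # step 207: advances even if the check fails
        slot = self.counter - 1
        word = self._code_words[slot]                 # step 208: counter content selects the code word
        pkt = self.buffer
        valid = (pkt["id_seq"] == self.id_seq                                    # meant for this unit
                 and hmac.compare_digest(pkt["identifier"], word)                # step 209: identifier matches code word
                 and hmac.compare_digest(pkt["signature"], sign(pkt["data"], self.id_seq, word)))
        if not valid:
            self.failures += 1
            self._block()                             # steps 210/211: blocking signal, buffer erased
            return "block"
        self.failures = 0
        # step 212: enable signal; record and its identifier move into functional memory
        self.functional = {"data": pkt["data"], "identifier": pkt["identifier"], "slot": slot}
        self.buffer = None
        return "enable"

    def _block(self):
        self.buffer = None                            # functional memory is left untouched

    def retry_delay(self) -> int:
        """Delay element: seconds to wait before the next attempt (assumed policy)."""
        return 0 if self.failures == 0 else min(2 ** self.failures, 60)

    def recheck_functional(self) -> bool:
        """Periodic re-check (e.g. at vehicle start) of the record in functional memory
        against the code word it was accepted with; no new code word is consumed."""
        if self.functional is None:
            return False
        return hmac.compare_digest(self.functional["identifier"],
                                   self._code_words[self.functional["slot"]])
```

A replay of a packet that was once accepted fails on the next `check` call because the counter has moved on to a different code word, and the failed attempt leaves the last valid record in functional memory untouched, which is the availability property the description claims for the buffer/functional split.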

1-12. (canceled)

13. A method for transcribing at least one data record of an external data source to a processor unit, comprising: transmitting the at least one data record from the external data source together with additional information to a buffer memory of the processor unit, the additional information including an identifier assigned individually to the processor unit; performing, in the processor unit, a check of an admissibility of a use of the at least one data record on the basis of the additional information; generating a blocking signal when the check indicates that the use of the at least one data record is not allowed; deleting the at least one data record from the buffer memory; and generating an enable signal when the use of the at least one data record is allowed.

14. The method as recited in claim 13, wherein the identifier is valid only once for checking the at least one data record that has been transmitted and stored in the buffer memory.

15. The method as recited in claim 13, wherein when the enable signal has been generated, the at least one data record is transmitted from the buffer memory to a functional memory from which the at least one data record may be read.

16. The method as recited in claim 15, further comprising: storing the identifier and the at least one data record in the functional memory; and checking the identifier when calling up the at least one data record from the functional memory.

17. The method as recited in claim 13, further comprising: storing a list of code words in a code word memory of the processor unit; comparing the identifier with at least one of the code words; and determining a presence of validity when the at least one of the code words and the identifier match.

18. The method as recited in claim 13, further comprising: storing a list of code words in a code word memory of the processor unit; comparing the identifier with at least one of the code words; and determining a presence of validity when the at least one of the code words and the identifier are identical.

19. The method as recited in claim 17, further comprising: storing a counter content of a counter, wherein the counter points to one of the code words of the code word memory; and incrementing the counter content of the counter before each check of the identifier of the at least one data record stored in the buffer memory.

20. The method as recited in claim 13, wherein: the processor unit is identifiable by an identification sequence, and the identification sequence is part of the additional information and is used in the check of the at least one data record.

21. The method as recited in claim 13, further comprising: storing valid identifiers for the processor unit in an identifier server.

22. The method as recited in claim 13, further comprising: retrievably storing identifiers in a code word server for a plurality of counter contents of a counter, the identifiers being allocatable to the processor unit via an identification sequence.

23. A processor unit, comprising: a buffer memory; a rewritable functional memory that is accessible during an operation of the processor unit, the buffer memory and the rewritable functional memory being capable of storing at least one data record; an interface for importing the at least one data record and additional information into the buffer memory; and a check unit for checking a validity of the at least one data.

24. The processor unit as recited in claim 23, further comprising: a read-only code word memory for storing code words; and a counter including an incrementable counter content that points to one of the code words, wherein the processor unit is individualized via an identification sequence.

25. The processor unit as recited in claim 23, wherein the processor unit is a control unit of a motor vehicle.